pixel_dreams - Fotolia
Cyber attack vectors remain largely the same year over year, attack volume will increase and cyber crime may be vastly underreported, according to the 2019 State of cybersecurity study from global IT and cyber security association Isaca.
“Under-reporting cyber crime – even when disclosure is legally mandated – appears to be the norm, which is a significant concern,” said Greg Touhill, Isaca board director, president of Cyxtera Federal and the first US Federal CISO.
“Half of all survey respondents believe most enterprises under-report cyber crime, even when it is required to do so.”
The survey of more than 1,500 cyber security professionals around the world, sponsored by HCL, also reveals that only a third of cyber security leaders have high levels of confidence in their cyber security team’s ability to detect and respond to cyber threats.
The highest levels of confidence are correlated with teams that report directly into the CISO, and the lowest levels are correlated with teams reporting into the CIO. According to the study, 43% of respondents say their teams report to a CISO, while 27% report to a CIO.
“What we can conclude from this year’s study is that governance dictates confidence level in cyber security,” said Frank Downs, director of Isaca’s cyber security practices. “When the cyber security team reports directly to a designated and experienced cyber security executive, team leaders have significantly more confidence in their teams’ capability to detect attacks and respond effectively.”
The survey indicates that enterprises often experience confusion when structuring cyber security with information technology. The survey report points out that a CIO’s main goal is managing and implementing information technology, which is substantially different to securing and protecting it.
Read more about cyber security and the business
- Businesses are failing to address growing cyber threats as business leaders admit to knowledge gaps, a lack of resources and confusion about who is responsible for data breaches, a report reveals.
- UK businesses are failing to get value out of cyber security because they fail to see its strategic importance and often have a negative attitude towards security professionals, a study has revealed.
- Audit, risk and security teams need to be equipped with the skills to communicate to their business’s teams in a way that enables them to better appreciate the priorities of the business and where these can be supported by security.
Where security reports to a CIO, the survey report said cyber security can become a secondary consideration, leading to a team’s lack of confidence in being cyber read. A higher percentage of respondents are confident in cyber security reporting to the CEO than to the CIO, the survey shows.
Part 1 of the Isaca report, released in March, highlighted workforce trends and challenges, while Part 2, released at Infosecurity Europe 2019 in London, covers attack trends.
The second part of the report shows that the top three threat actors remain cyber criminals, hackers and non-malicious insiders.
Phishing, malware and social engineering top the list of prevalent attack types for the third year in a row. Ransomware, however, is significantly down from 2018, with 37% of organisations reporting that they experienced ransomware in last year’s study, compared with 20% this year.
Just under half of organisations report an increase in cyber security attacks on their organisation this year, and 79% say it is likely they will experience a cyber attack next year.
“The cyber landscape is complex. Cyber security, though in focus today, suffers from a siloed and static approach,” said Renju Varghese, fellow & chief architect, cyber security & GRC, at HCL Technologies.
“Many teams are missing the attacks that significantly impact organisations because they don’t have the size or expertise to keep up with the attackers and are overwhelmed. Moreover, their existing security tools and processes are segregated and seldom work in tandem, leaving the teams staring at multiple consoles and drowning in alerts and incidents.”
Read more about cyber crime
- Businesses urged to respond to research findings that the ready availability of hacking tools, wildfire spread of malware and proliferation of cryptocurrency mining has seen a 300-fold increase in social media-enabled cyber crimes in two years.
- C-level executives, lawyers and doctors are the top extortion targets of cyber criminals, a report by researchers tracking thousands of sextortion attempts reveals.
- The discovery of billions more stolen usernames and passwords in Collections #2 to #5 have prompted fresh calls for the implementation of better authentication methods across industry.
However, according to Isaca’s Frank Downs, organisations can better prepare for the threats posed by cyber criminals by carefully analysing the variables that contribute to incident susceptibility and team inefficiency.
“Specifically, analysing key organisational attributes identified in the State of cybersecurity, such as cyber reporting structure, prevalent attack methods and team readiness through a culture of continuing professional education, organisations can increase their resilience to potential incidents,” he said.